tap-as-a-service: what you need to know now
TRANSCRIPT
April 28, 2016
Tap-as-a-service: What you need to know now
In Collaboration With
Copyright PLUMgrid, Inc. 2011-2016
Introduction: Speakers
- Fawad Khaliq, Sr. Software Engineer, PLUMgrid Inc
- Anil Rao, Distinguished Engineer, Gigamon
- Reedip Banerjee, Tech Lead, NEC Technologies
- Vinay Yadhav, Experienced Researcher, Ericsson
- Takashi Yamamoto, Sr. Software Engineer, Midokura
Agenda
- Tap-as-a-Service Introduction
- Motivation for TaaS
- Progress so far
- TaaS Object Model
- Demo
- Next Steps
- Q&A
Tap-as-a-Service: Introduction

Tap-as-a-service in OpenStack
- Advanced networking service in OpenStack to provide traffic mirroring.
- Currently an API for port mirroring.
- Enables tenants/operators to mirror packets from one or more Neutron ports.
- A Neutron port could be a VM, a container or a bare-metal host, depending on the backend implementation.
Tap-as-a-service in OpenStack [diagram]: User, Neutron and TaaS; traffic from source port 1 and source port 2 is mirrored by TaaS to dest port 1.
Motivation for TaaS

Traffic Monitoring Process
- Involves placing tap devices at appropriate locations within the network infrastructure and attaching traffic analyzers to them.
- These analyzers can then see the same packets passing through those network segments, as if they were also inline.
- A logical tap device can be (easily) constructed using the port-mirroring function of a network switching element.
So, why is it [still] not possible to monitor the activity in OpenStack virtual networks?
Architectural Characteristics of Cloud Platforms

Multi-tenancy
- Multi-tenancy allows available resources and services to be shared among different groups of users.
- Each group, known as a tenant, is provided with an environment that is completely isolated from the others.
- Members of a tenant are oblivious of the fact that other groups may be co-existing with them.
- Multi-tenancy promotes delegation of control in a safe and secure manner.

Location Independency
- Location independence is primarily concerned with hiding the identities of individual infrastructure components from virtualized workloads.
- This has made it possible to relocate running virtual machines from one host to another.
- An equally important but less appreciated benefit of location independence is the improved efficiency in resource allocation.
Consequences for traffic monitoring
- Tenants are (typically) unaware of the physical hosts on which their VMs are running.
- VMs belonging to different tenants may be placed on the same host.
- Tenant virtual networks often extend across multiple hosts.
- To avoid the possibility of cross-tenant data leakage, tenants are prevented from directly accessing the controls of the underlying switch fabric (host-level virtual switches, top-of-rack switches, etc.).
- Unfortunately, this means that the port-mirroring capability of those switches is also not available.
Desire:
- A tapping service that will enable a tenant and/or the cloud administrator to safely monitor Neutron ports.
- The service must ensure that tenant isolation boundaries are not compromised.
- Port-mirror sessions should transparently span hosts to preserve location independence.

Solution:
- Tap-as-a-Service is a platform-oriented approach that satisfies the above need. It effectively virtualizes port mirroring, which used to be a switch-layer function, and makes it available to users of Neutron-provisioned networks.
- TaaS will serve as the basic building block on top of which more complex traffic visibility solutions can be engineered.
Progress So Far
- Version 0.1 of TaaS presented in a demo, with successful integration.
- Source code resides on GitHub (https://github.com/openstack/tap-as-a-service).
- Application for inclusion as an official OpenStack project in Governance and as a possible participant in the Neutron Stadium.
- Support for TaaS in the Horizon Dashboard (beta version).
- TaaS is now available as a CLI with NeutronClient:
  neutron tap-service-create / neutron tap-service-delete / neutron tap-service-show / neutron tap-service-list
  neutron tap-flow-create / neutron tap-flow-delete / neutron tap-flow-show / neutron tap-flow-list
- Tempest jobs for TaaS are functional on the gate.
Tap-as-a-service Object Model

TAP SERVICE: Represents the port on which the mirrored traffic is delivered. Any service (VM) that uses the mirrored data is attached to the port.
TAP FLOW: Represents the port from which the traffic needs to be mirrored.
Multiple TAP FLOW instances can be associated with a single TAP SERVICE instance.
Tap-as-a-service Object Model (contd) [diagram sequence]:
- Two Instances, each attached to a Port.
- A TapService is attached to the Port of one Instance.
- A TapFlow is attached to the Port of the other Instance.
- The TapFlow's Port carries traffic in the OUT and IN directions.
- Mirror traffic (OUT and IN) is copied to the TapService Port.
- A further Instance, Port and TapFlow are added: multiple TapFlows mirror into the same TapService.
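The object model above, as an added illustrative model that is not the tap-as-a-service project's own code: a TapService owns the delivery port, several TapFlows feed it, each flow has a direction, and the tenant-isolation requirement from the motivation slides is enforced at creation time. Class names, ids, the port-ownership map and the BOTH direction are assumptions made here.

```python
import itertools
from dataclasses import dataclass
# Illustrative in-memory model of the TaaS objects on the slides; not the
# tap-as-a-service project's own code. Names, ids and checks are assumptions.
DIRECTIONS = {"IN", "OUT", "BOTH"}  # IN/OUT as drawn on the slides; BOTH assumed

@dataclass
class TapService:  # the port on which mirrored traffic is delivered
    service_id: str
    tenant_id: str
    port_id: str

@dataclass
class TapFlow:  # the port from which traffic is mirrored
    flow_id: str
    tenant_id: str
    source_port: str
    tap_service_id: str
    direction: str

class TaaS:
    def __init__(self, port_owner):
        self.port_owner = dict(port_owner)  # Neutron port id -> owning tenant
        self.services, self.flows = {}, {}
        self._ids = itertools.count(1)

    def create_tap_service(self, tenant_id, port_id):
        # A tenant may only deliver mirrored traffic to a port it owns.
        if self.port_owner[port_id] != tenant_id:
            raise PermissionError("destination port belongs to another tenant")
        svc = TapService(f"ts-{next(self._ids)}", tenant_id, port_id)
        self.services[svc.service_id] = svc
        return svc

    def create_tap_flow(self, tenant_id, source_port, tap_service_id, direction):
        if direction not in DIRECTIONS:
            raise ValueError("direction must be IN, OUT or BOTH")
        svc = self.services[tap_service_id]
        # Tenant isolation: mirror only your own ports, only into your own service.
        if self.port_owner[source_port] != tenant_id or svc.tenant_id != tenant_id:
            raise PermissionError("cross-tenant mirroring is not allowed")
        flow = TapFlow(f"tf-{next(self._ids)}", tenant_id, source_port,
                       tap_service_id, direction)
        self.flows[flow.flow_id] = flow  # many flows may feed one tap service
        return flow

    def mirror_targets(self, port_id, direction):
        """Delivery ports that get a copy of a packet seen at port_id (IN or OUT)."""
        return {self.services[f.tap_service_id].port_id for f in self.flows.values()
                if f.source_port == port_id and f.direction in (direction, "BOTH")}
```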
Tap-as-a-service Design (agent based) [diagram]: Tenant / Administrator -> TaaS API -> Plugin Service -> Driver ABC -> RPC Communication -> TaaS Agent Framework -> Switching Element.
Tap-as-a-service Design (controller based) [diagram]: Tenant / Administrator -> TaaS API -> Plugin Service -> Driver ABC -> SDN controller.
DEMO

Demo: Tap-as-a-service
Overview: Demonstrate how Tap-as-a-Service can be utilized to monitor network traffic associated with VM instances in an OpenStack cloud.
Use Cases: Web traffic analysis. Centralized Intrusion Detection System.
What to Expect: The first portion of the demo will show how tap-services and tap-flows can be easily configured via the Horizon Dashboard. Next, we will illustrate how TaaS can play an important role in satisfying the needs of data analytics and security applications.
Environment: Multi-node DevStack cloud (1 Controller node, 1 Network node, 2 Compute nodes).
This cloud is hosting multiple web-server VM instances whose traffic will be monitored using TaaS. A special monitoring VM is also running in the cloud to receive mirrored traffic and carry out traffic analysis.
Three Linux desktop systems represent end-users interacting with the cloud.
Next Steps

Roadmap
- Policy Based Tap
- Support external resources, like those behind an L2 Gateway
- Quota enforcement
- QoS and TaaS integration
- Enhance Tempest Testing
- Rally Testing
- Complete CI support

Join TaaS!
Project Launchpad: https://launchpad.net/tap-as-a-service
Project Git Repository: https://github.com/openstack/tap-as-a-service
Weekly IRC Meeting: http://eavesdrop.openstack.org/#Tap_as_a_Service_Meeting
IRC: #openstack-neutron @ Freenode

THANK YOU!